{"id":"api-governance-enforces-stability-and-immutability","text":"OpenShift API governance operates through two complementary enforcement mechanisms: a tiered stability model (Level 1–4) with webhook admission control governs API behavioral contracts, while resource-field and platform-level immutability prevents destructive drift after creation — together ensuring that both the API surface and its instantiated resources maintain consistency.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["api-governance-spans-stability-and-admission","immutability-enforced-at-resource-and-platform-levels"],"outlist":[],"label":"depth-2 API stability/admission + depth-2 immutability enforcement combine into a comprehensive API governance model"}],"dependents":["unified-security-from-install-through-api-governance"],"metadata":{},"explanation":{"steps":[{"node":"api-governance-enforces-stability-and-immutability","truth_value":"IN","reason":"SL justification valid","antecedents":["api-governance-spans-stability-and-admission","immutability-enforced-at-resource-and-platform-levels"],"label":"depth-2 API stability/admission + depth-2 immutability enforcement combine into a comprehensive API governance model"},{"node":"api-governance-spans-stability-and-admission","truth_value":"IN","reason":"SL justification valid","antecedents":["api-stability-tiered-guarantee-model","webhook-admission-enforcement-model"],"label":"depth-2 — API governance has both a temporal dimension (stability tiers) and a runtime dimension (admission enforcement)"},{"node":"api-stability-tiered-guarantee-model","truth_value":"IN","reason":"SL justification valid","antecedents":["compatibility-level-1-stable-12-months","compatibility-level-definitions","consoleplugin-compat-level-1","image-content-source-policy-v1alpha1-level4","api-tier3-default-for-unassigned-groups"],"label":"API consumers can assess migration risk by checking compatibility level"},{"node":"compatibility-level-1-stable-12-months","truth_value":"IN","reason":"premise"},{"node":"compatibility-level-definitions","truth_value":"IN","reason":"premise"},{"node":"consoleplugin-compat-level-1","truth_value":"IN","reason":"premise"},{"node":"image-content-source-policy-v1alpha1-level4","truth_value":"IN","reason":"premise"},{"node":"api-tier3-default-for-unassigned-groups","truth_value":"IN","reason":"premise"},{"node":"webhook-admission-enforcement-model","truth_value":"IN","reason":"SL justification valid","antecedents":["webhook-communication-requires-tls","webhook-max-timeout-13-seconds","webhook-never-invoked-on-own-kind","webhook-required-fields"],"label":"These four constraints collectively define the safety envelope for admission webhooks — TLS for integrity, timeout cap for availability, self-exclusion for stability, required fields for correctness"},{"node":"webhook-communication-requires-tls","truth_value":"IN","reason":"premise"},{"node":"webhook-max-timeout-13-seconds","truth_value":"IN","reason":"premise"},{"node":"webhook-never-invoked-on-own-kind","truth_value":"IN","reason":"premise"},{"node":"webhook-required-fields","truth_value":"IN","reason":"premise"},{"node":"immutability-enforced-at-resource-and-platform-levels","truth_value":"IN","reason":"SL justification valid","antecedents":["resource-field-immutability-pattern","install-time-irreversible-constraints"],"label":"depth-2 — immutability operates at both the resource field level and the cluster-wide level"},{"node":"resource-field-immutability-pattern","truth_value":"IN","reason":"SL justification valid","antecedents":["route-host-immutable","ingress-domain-field-immutable-unique","ingressclass-controller-immutable"],"label":"Three independent immutable-field constraints form a write-once identity pattern"},{"node":"route-host-immutable","truth_value":"IN","reason":"premise"},{"node":"ingress-domain-field-immutable-unique","truth_value":"IN","reason":"premise"},{"node":"ingressclass-controller-immutable","truth_value":"IN","reason":"premise"},{"node":"install-time-irreversible-constraints","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-security-fips-install-time-only","cpu-partitioning-install-time-only","network-plugin-selected-at-install-time"],"label":"Three independent install-time-only constraints form a coherent class of irreversible cluster decisions"},{"node":"ocp-security-fips-install-time-only","truth_value":"IN","reason":"premise"},{"node":"cpu-partitioning-install-time-only","truth_value":"IN","reason":"premise"},{"node":"network-plugin-selected-at-install-time","truth_value":"IN","reason":"premise"}]}}